• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 770
  • Last Modified:

NTFS permission

We failed on backup job due to many Access Denied files.
Because there are many folders/files, it is impossible to add it one by one manually.
How can we add domain admins group to all folders/files with out affect existing NTFS security permissions?
We are using 2003R2 server in AD environment.
Thank you.
5 Solutions
sounds like you may need to revisit the entire structure of your security and inheritance etc.

If you add the admin at the root you still wont have access to folders where the admin has been removed, and inheritance turned off.

Backup Admin should always have access to everything, and  you need to make sure it is set that way.

CACLS and similar may be helpful.
test carefully before implementing.

I hope this helps !
Use "modacl" , using this utility you can apply/remove permission of a group recursively or otherwise on a folder without affecting the existing permission.
7 new features that'll make your work life better

It’s our mission to create a product that solves the huge challenges you face at work every day. In case you missed it, here are 7 delightful things we've added recently to monday to make it even more awesome.

If you decide to use modacl then download SuperCACLs 3.0 from Trusted Systems Services..
Users of Backup Operators group have access to all files and folders whether they have NTFS permission on that folder/file or not. I suggest you create a user and put that user in Backup Operators group and run the backup tasks with delegation of that user.
Firstly check what account you are using to run the backup job, then add that account to the local servers backup operators group:
Start > Run > compmgmt.msc > System Tools > Local Users and Groups > backup operators

Second check your VSS writers are stable.
Start >run> CMD > Vssadmin List Writers
Each writer should come back as Stable and No errors. If the writers are in a failed state you may need to restart the server or take further action.

Third check the Volume shadow copy service is set to start Manually and the logon account is the system account:

Start >run>services.msc>Volume Shadow Copy service
Krzysztof PytkoSenior Active Directory EngineerCommented:
I would recommend SubInACL from Microsoft. It is easy in use and very powerful. You can download it at
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Managed Security Services Webinar - March 15

Selecting the right managed security services platform to grow your business can be a huge undertaking. Join WatchGuard and Frost & Sullivan in an upcoming webinar as we dive into the key elements of selecting a vendor platform and partnership to fuel a successful MSSP business.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now